3.1.1.8.2 primaryGroupID

Let O be the object whose primaryGroupID attribute is being updated.

Let G be the group object such that the value of the primaryGroupId attribute of O contains the RID of the objectSid attribute of G prior to the update.

Let G' be the group object such that the value of the primaryGroupId attribute of O contains the RID of the objectSid attribute of G' after the update.

The following MUST be true prior to the update:

1. The groupType of G MUST be one of the following two values: GROUP_TYPE_SECURITY_ACCOUNT or GROUP_TYPE_SECURITY_RESOURCE.

2. The groupType of G' MUST be one of the following two values: GROUP_TYPE_SECURITY_ACCOUNT or GROUP_TYPE_SECURITY_RESOURCE.

3. O MUST NOT be in the member attribute of G.

4. O MUST be in the member attribute of G'.

If the update to the primaryGroupID attribute of O is NOT a result of an internal trigger, all of the following constraints MUST be satisfied after the update:

1. O MUST be in the member attribute of G.

2. O MUST NOT be in the member attribute of G'.